Apply hotlink protection by default

defaults/main.yml

@@ -255,3 +255,14 @@ nginx_static_resource_filename_extensions: "{{ nginx_static_resource_filename_ex
 # templates/etc/php/VERSION/fpm/pool.d/ACCOUNT-PROJECT.conf.j2
 # -> php_value[newrelic.appname]
 php_fpm_newrelic_appname: "{{ linux_owner }}/{{ project }}"
+
+# -----------------------------------------------
+# Hotlink protection - Prevent other domains from serving content (images) from your website.
+# See http://nginx.org/en/docs/http/ngx_http_referer_module.html#valid_referers
+# -----------------------------------------------
+# Default behaviour: Protect from hotlinking by other domains. Does not prevent requests from cli tools or anything that omits a referer header.
+# To deny *all* hotlinking (i.e. from agents that don't pass a referer), set this to just "server_names" instead.
+# To turn off hotlink protection, set this to an empty string.
+# If you serve content from other domains, you'll need to add them to this pattern.
+# -----------------------------------------------
+vhost_valid_referers_pattern: 'none blocked server_names'

templates/etc/nginx/includes/ACCOUNT-PROJECT.core.conf.j2

@@ -124,6 +124,16 @@
     return 403;
   }
 
+{% if vhost_valid_referers_pattern != '' %}
+  # Protect stuff in sites/defualt/files from hotlinking (static content is usually matched by the by a different rule, so this is generally only applies to pdfs etc)
+  location ~ {{ nginx_drupal_uploads_dir_pattern }} {
+    valid_referers {{ vhost_valid_referers_pattern }};
+    if ($invalid_referer) {
+        return 403;
+    }
+  }
+{% endif %}
+
   # Don't serve anything from private diretories. BTW these should really be outside of your web root anyway.
   location ~ {{ nginx_drupal_private_dir_pattern }} {
     return 403;
@@ -187,6 +197,12 @@
   }
   # Image cache doesn't work without this.
   location ~ {{ image_cache_location }} {
+{% if vhost_valid_referers_pattern != '' %}
+    valid_referers {{ vhost_valid_referers_pattern }};
+    if ($invalid_referer) {
+        return 403;
+    }
+{% endif %}
     {{ vhost_try_files_rewrite_conf | indent(4, false) }}
   }
 
@@ -248,6 +264,12 @@
 
   # Drupal 7: Allow drupal to act as a broker for files served from the private dir
   location ~* /system/files/ {
+{% if vhost_valid_referers_pattern != '' %}
+    valid_referers {{ vhost_valid_referers_pattern }};
+    if ($invalid_referer) {
+        return 403;
+    }
+{% endif %}
     {{ vhost_try_files_rewrite_conf | indent(4, false) }}
   }
 
@@ -270,6 +292,12 @@
 
   # Drupal 8: Allow drupal to act as a broker for files served from the private dir
   location ~* /system/files/ {
+{% if vhost_valid_referers_pattern != '' %}
+    valid_referers {{ vhost_valid_referers_pattern }};
+    if ($invalid_referer) {
+        return 403;
+    }
+{% endif %}
     {{ vhost_try_files_rewrite_conf | indent(4, false) }}
   }
 
@@ -344,9 +372,16 @@
 
 {% if web_application != 'proxy_pass' %}
   # Dont spam log files, and cache static content forever.
+  # Be aware that this rule matches a lot of stuff in sites/default/files.
   location ~* \.({{ nginx_static_resource_filename_extensions | join('|') }})$ {
     expires max;
     log_not_found off;
+{% if vhost_valid_referers_pattern != '' %}
+    valid_referers {{ vhost_valid_referers_pattern }};
+    if ($invalid_referer) {
+      return 403;
+    }
+{% endif %}
 {% if nginx_rewrite_static_content %}
     {{ vhost_try_files_rewrite_conf | indent(4, false) }}
 {% endif %}